Encrypted ZFS for off-site backups

Tags:

As I recently discussed,
I use zfs replication for my off-site backups, manually moving volumes
from my home to a second location on a semi-regular schedule.

Of course, I would rather that if one of these drives were stolen or lost
that the thief not have a copy of all my data. Therefore, I use geli to encrypt
the entire zpool.

I chose to set up geli using only a passphrase; you can also use keyfiles,
but since one purpose of these off-site disks is to recover from catastrophic
data loss, by choosing not to use a keyfile I don't have to worry about how
to preserve the keyfile offsite safely.

Setting up the encrypted pool the first time is easy (the file geli-password
contains the password):

On my system (no AES acceleration), zfs receive peaks at about 100MB/s which is
quite adequate for replication duties. (this is with -o compression=gzip which
probably also impacts the top speed)

Update: More recently, I've worked on some portable software to decrypt data from AES-128-XTS geli volumes, in case I
ever need to read one of these backups and all I have is Linux (with ZOL or
zfs-fuse, presumably).